It's a step in the right direction, but it's still centralized. A lot of the work done by the Indie Web community around IndieAuth[1] is really attractive. Your identity is your domain, and you can change how your domain says you're allowed to authenticate. Now you can even use sign-in with google without getting locked out should you loose your google account.
Aligns really well with using your own domain for email instead of gmail.
I hadn't heard of either Promise or IndieAuth before reading this thread, so apologies if this is a dumb question. But one of the benefits of Promise is that it's pseudonymous:
> You will get a unique identity pr. service you use. This ensures that relying parties have no way to profile you across services.
For me, this is actually the biggest reason that I stopped using social sign-ins. It's not that Google might disable my account one day; it's more that I don't want Google or Facebook tracking me.
How does a decentralized system handle this? If my identity is my domain, doesn't that mean that all these websites now have a unique id which they can use to join together all their separate pieces of data about me?
You're right, all the websites could band together to coordinate and share that the same person logged into each site. They do this today with email addresses and phone numbers explicitly (and implicitly with "advertising IDs" and the like). The Facebook "like" button and Google analytics are both tools to make it easier to track you around the web. Getting away from being able to track you around the web is going to take a lot more than just an anonymous ID as your login credential.
That said, the unique identity is still valuable--Apple offers this with their third party sign in[1]. Practically, if everyone was using self-hosted identity, then the tools would probably make it easy for you to create and track your own new identities for each service you use. This isn't build into something like IndieAuth today, but with the right DNS settings you could have arbitrary subdomains return the same authentication options and act as easy-to-use "sub identities".
Being pseudonymous is one of the main selling points of Promise.
Only by being pseudonymous can it provide the level of privacy that should be expected from the global authentication infrastructure that Promise wants to be.
Isn't that a problem, like "let's get rid of Google and all the evildoers because they know too much about us" then "oh we realize we created another one which knows too much about us"?
I get where you're coming from, and this is something I've been thinking a lot about.
It would be possible to not save the map, and then use some kind of hashing to infer user ids for each site. I chose not to do this, to be able to guarantee no collisions. This might be silly, though. But the thought of people with colliding user ids makes me giddy.
The data stored looks something like this:
{
"ids": {
"example.com": {
"07c5c163-875f-424c-a659-a4f99e74eb12": "default"
},
"other-example.com": {
"ab38b2a6-d560-43d3-b2a3-9148cd91d1b4": "default"
}
}
}
Worth noting is, that there is no personally identifiable information (PII) here.
But we have to have the discussion if this is "too much" data to keep about a user. AFAIK this is the bare minimum of data needed, to be able to guarantee no collisions of user ids. If there is another way to do it, we should do that!
> Self-sovereign
You manage your identities and attributes locally on your computer. No need to trust a third party service with your data.
Why do people assume that is a good thing? I do cybersecurity at work (among other things) and it takes a lot of effort to keep things both available and secure. My home PC, not to mention PCs of my friends, are never going to be as secure.
A system which has a chance will have to be federated, not local-only.
I work in crypto and we sell a hardware device to keep your seed phrase secure and the physical device is required to sign transactions.
But then you should listen to the advice we're given if we use one for personal use.
1. buy two devices
2. Generate a phrase on one then import to the other
3. Put the second one in a safety deposit box in another city or state, or a safe with a family member also out of the city or state.
4. Keep a copy of the phrase on steel seed phrase tool (Steely, etc)
5. Mount the steel seed phrase backup inside of a wall of your house and plaster and paint over it.
6. If your phrase ever gets seen by any electronic means, it's compromised and the process must be redone (note that importing uses a randomly shuffled alphabet on the device to make MITM or keylogging attacks unusable).
So... Security is hard. We should build systems that make it easy. There should be ways to recover from backups of a service goes offline, but we can't expect everyone to make good decisions.
Not to mention having passwords synced between devices and available on demand is really a requirement of you use random passwords for every site and need to log into something (heaven forbid) on someone else's device.
Most people are not trying to stop a determined attacker. Most people just want random people to not get be able to get into their stuff--same as a physical lock.
They carry a physical key on their person. It's not too much to ask them to carry a "digital" key on their key ring.
The problem is that most "digital" keys are a pain in the ass:
1) Mostly because everybody wants to "centralize" authentication so that they can charge you and administrate you.
2) Secondarily because there is no good solution for talking to the key on your person. NFC sucks. USB requires that I plug my key in. WiFi requires that the device be able to hit your network. BLE has no access from web pages.
BLE is probably the best choice, but there is no real money in making it work.
I'm a bit divided on whether or not the "centralized" thing is actually a problem Promise should tackle.
On one hand, I want to tell you that Promise is only centralized by default. Which is good for people that doesn't understand what a OpenID/IndieAuth Provider is. But as Promise is open source and the protocol caters for it, it is possible to have Promise redirect authentication requests to your own instance. Which then redirects you back to the relying party you want to sign in to. So it is possible to decentralize if that is what you want
On the other hand, I'm not sure it's a good idea to do it. Centralizing gives a lot of benefits. User experienc being one, but also being able to roll out eg. security updates quickly. But sure, centralization also creates problems.
But until now, I have a feeling that the problems with centralization, can be solved by other measures than going decentralized. Eg. being a non-profit organisation owned by the relying parties. This would guard against a lot of the problems with being centralized.
And I'm still to encounter a decentralized solution with a reasonable user experience for most people. OpenID, IndieAuth, SQRL, re:claimID, I'm looking at you. Sorry.
You're right that the user experience is a huge blocker, but I think that's something we as authors of tools can improve on. For example, there's a Wordpress plugin that lets your Wordpress site act as an IndieAuth identity[1]. That makes it pretty usable from and end-user perspective.
The challenge with centralized is that it is a single point of failure. The original post was more focused on "If you get locked out of google, you get locked out of everything". In that vein if promise gets hacked/bought/abandoned/changes it's business model etc.. then you lose all your accounts. The anonymous nature of it is great, but this is something Apple already offers with their sign-in with apple which is already widely supported and with the proxy-email solution you can still be contacted by the sites you're signing up with.
I got interested in IndieAuth because of a project of mine[2], trying to make it really easy for everyone to self-host their facebook/twitter equivalent with direct control over who has access. This runs into the problem with wide adoption where you have a separate credential for each of your friends' blogs. With IndieAuth built into the self-hosted platform, then your own self-hosted site becomes the one credential you can use on all your friends' sites. Self-hosted distributed identity for privacy AND ease-of-use.
I'm really happy that you're willing to take this discussion with me.
I totally understand what makes IndieAuth is a good solution. And it seems really easy. For me. But I have no idea how I would go about explaining it to, let's say, my mom.
Apple is offering something very similar to what Promise does. The difference is that Apple is a commercial corporation. Which means they're in the game to make money. Promise will be in the game to make authentication easy, secure and private.
In many ways I compare the goal of Promise, with the goal of DNS. Take a commodity and make it available globally in a reliable way. Yes, it will be a single point of failure. So the job of Promise will in large be, to keep the platform secure and reliable.
The mom-test is a good one, I'll have to think more about it. The truth is the advantages and disadvantages of various authentication systems are subtle, and hard for a lot of technical people to understand, much less care about.
Apple is a commercial corporation, and one of the biggest (by market cap) companies in the world. That gives me confidence that they'll be around for a long time, have sufficient resources to invest in security and reliability, and they have a well-established reputation for a focus on security. They do other things I don't like[1], but I think this is one area where they're setting really good precedent.
In addition, it's going to be difficult getting any sites (outside of maybe the crypto/grey-market) to adopt an auth system that doesn't let them contact their users. This is also I think a big failing of IndieAuth.
Promise is basically challenging the assumption that authentication has anything to do with both personal identity and being able to contact a user.
If a site needs to contact the user, it's reasonable to ask for eg. an email. But now the intent of asking for an email has to be crystal clear, which makes you and them more aware of what data you are actually giving them.
Apple sure is doing some good stuff with their authentication solution and their efforts to help people with healthier passwords habits. I'm still not too fond of having such fundamental infrastructure owned by a private company. Would you be comfortable handing over DNS to Apple?
Aligns really well with using your own domain for email instead of gmail.
[1] https://indieauth.net/